Bosch and Genetec. End-to-end security, day after day

Some of the world’s biggest crimes go unnoticed, until it’s too late

As the way we live and work becomes increasingly sophisticated, complex and connected, the benefits are clear to see as things get more streamlined and intuitive with every passing day. But whilst many enjoy the open connectivity that the Internet of Things enables, they don’t realize they’re vulnerable to cybercrime.

In recent years, hackers have been responsible for security breaches on every major continent, across every business sector. In fact, according to The Official 2017 Annual Cybercrime Report, cybercrime damages will cost the world a staggering $6 trillion by 2021. Not in total, but every year.

This trend has clearly extended the discussion within video security beyond delivering the highest quality of relevant images and managing large data volumes, to how to keep video data secure in an increasingly connected world.

How do you safeguard against something that can’t be seen?

Video surveillance data is particularly susceptible to security breaches due to the method often used to connect across local and global networks. Typically, a number of edge components (cameras) send their data to core components (servers) via a network. Sounds simple. And that’s the problem, because to a digital intruder, this method of data transfer is easy pickings.

All it takes is a single weak link in a surveillance network for hackers to gain access to, and jeopardize, an entire data system. There is an obvious way to prevent this: don’t have any weak links. How? By employing a data security system that’s been configured by experts with vast cybersecurity knowledge to make it completely effective from end-to-end.

It’s impossible to put a figure on how many video management systems are in use around the world. However, Genetec is a major player in this arena. And when it comes to leading the way in mission-critical video security projects, nobody comes close.

Having access to the VMS expertise of Genetec, combined with the years of constant innovation behind Bosch surveillance cameras, is certainly good news for you, and bad news for cyber criminals.

Let’s not forget the harsh reality; hackers are everywhere. Thankfully, so are Bosch and Genetec.

The key to total security is total trust

There’s little point focusing on the security of a single component when there’s an entire infrastructure to consider; one that could carry a weak link where hackers could gain access. That’s why all network-wide communications between Bosch cameras and Genetec Archiver and Security Center are assigned an authentication key (Bosch factory-default or customer-specific certificates). This electronic signature enables us to verify the legitimacy of network components such as cameras, storage units and viewing clients, ensuring that you can build an infrastructure of trust before network-wide communications start.

The best form of protection is encryption

A high percentage of online crimes involve the illegal capture of video data, so your chosen method of safeguarding your system needs to be consistently effective and completely reliable, and this is precisely why encryption of data streams and stored data is not just paramount, but non-negotiable.
As you’d expect from a progressive brand like Bosch, we’ve been implementing encryption at hardware level for some time. Specifically, all Bosch IP cameras have a trusted platform module (TPM) installed at the factory. The TPM safely stores the cryptographic keys used to encrypt all live video data, which is then sent from the camera to the Genetec Archiver using SRTP (Secure Real-Time Transport Protocol), which also protects the integrity of the data. And for additional reassurance, all encrypted communication between Genetec Archiver and Genetec Clients is carried over SRTP or HTTPS.

Another advantage of using SRTP throughout the whole infrastructure is that customers can set up a secured multicast network, so you get security and good network scalability at the same time.

With all security measures at hardware level combined with SRTP, Bosch and Genetec offer an end-to-end encryption solution. All video data is encrypted at the moment it is captured and remains encrypted throughout the whole video security infrastructure. Compared with transmitting RTSP through an HTTPS tunnel, this can save 50% of computing power, because no additional layer of encryption is needed.

If the system doesn’t know you, you don’t get into the system

Genetec are the experts in secure video management systems, so they know that the only way to outsmart a hacker is to think like a hacker. By doing so, they’ve developed a software system that offers multiple ways to manage user access rights, ensuring that only authenticated and authorized parties can access data.

Security is established via a ‘permissioning’ scheme based on privileges accumulated by specific users and groups. It’s like an updated version of the familiar ‘user profile’, and is being received positively by our clients, if not the digital intruders.

Easy management of user access rights

The Genetec Security Center has an incredibly comprehensive set of “Privileges” at its disposal, which gives administrators complete control, at a granular level, over the permissions each user or user group is given to access the system. The options include over 300 privileges that can be denied or granted to any user, or to an entire user group.

Any users added to a certain group will automatically inherit all existing privileges assigned to that group. Several examples of how sophisticated these privileges can be include the ability for a user to view live video, view playback, add a bookmark to a video timeline, and even move a PTZ (pan, tilt and zoom) camera.

Synchronized. Centralized. Better protected

For an extra level of security and support, Security Center also integrates with Active Directory, allowing user management to be monitored and centralized at Windows level. In addition to individual users, user groups from Active Directory can also be synchronized with Security Center, so that when users are added to or removed from an Active Directory user group, the action is replicated in Security Center. As mentioned previously, new users will automatically inherit the existing Security Center privileges defined for that group.

How Bosch secures its cameras

Passwords as we know them today are still an essential layer of security enforcement at the initial set-up stage. Thereafter, the Genetec Archiver uses a client certificate to authenticate itself to the Bosch camera. As an extra measure, the client certificate must be signed by a trusted third party whose identity (root certificate) has previously been installed on the camera.

In addition, the cameras block any attempt to execute third-party software, and only Bosch-approved firmware updates are accepted. Unique Bosch-authenticated certificates are factory-installed on all cameras, and all cryptographic operations, for authentication and encryption alike, are executed only inside the unique built-in Trusted Platform Module (TPM).

How Genetec secures its management software and clients

As long as passwords remain in use, the issue of poor entropy will persist: passwords are often badly chosen, and therefore at greater risk of being guessed, because most are kept short and memorable to avoid being forgotten. If the password can’t be guessed, a more heavy-handed approach will be taken, such as hacking.

Certificates aren’t affected in the same way, which is why Genetec uses certificate authentication for its Security Center management software and clients. The video management system interacts directly with the Bosch cameras, using certificates for authentication. The cryptographic keys used for authentication as well as encryption are safely stored inside the Bosch camera’s TPM.

Depending on specific requirements, Genetec Security Center supports customer-signed certificates, certificates from the Windows certificate store, or certificates issued by a trusted authority; one example of a certificate authority (CA) is the Bosch in-house authority, Escrypt.

With Bosch and Genetec, you can feel confident that your data is protected by one of the world’s best security solutions, end-to-end, day after day.